OWASP

OWASP
Type: 501(c)(3) nonprofit organization
Focus: Web security, application security, vulnerability assessment
Coordinates: 39°44′47″N 75°33′03″W (39.746343, -75.5508357)
Method: Industry standards, conferences, workshops
Revenue: $2.3 million (decrease) [1]
Total assets: US$1,669,244 (2021)
Website: owasp.org

The Open Worldwide Application Security Project (OWASP), [2] formerly the Open Web Application Security Project, is an online community that produces freely available articles, methodologies, documentation, tools and technologies in the fields of IoT, system software and web application security. [3] [4] [5] Its resources are free and open, and it is led by a non-profit, The OWASP Foundation. The OWASP Top 10 - 2021 is the published result of research based on comprehensive data compiled from over 40 partner organizations.

History

Mark Curphey started OWASP on September 9, 2001. [6] Jeff Williams served as the volunteer Chair of OWASP from late 2003 until September 2011. As of 2015, Matt Konda chaired the Board. [7]

The OWASP Foundation, a 501(c)(3) non-profit organization in the US established in 2004, supports the OWASP infrastructure and projects. Since 2011, OWASP has also been registered as a non-profit organization in Belgium under the name OWASP Europe VZW. [8]

In February 2023, Bil Corry, an officer of the OWASP Foundation Global Board of Directors, [9] reported on Twitter [2] that the board had voted to rename the organization from the Open Web Application Security Project to the Open Worldwide Application Security Project, replacing "Web" with "Worldwide".

Publications and resources

Certifications

OWASP offers several certification schemes that certify a student's knowledge of particular areas of security.

Security Fundamentals

Security Fundamentals is a baseline set of security standards, applicable across technology stacks, that teaches learners about the OWASP Top Ten vulnerabilities. [26]

Awards

The OWASP organization received the 2014 Haymarket Media Group SC Magazine Editor's Choice award. [4] [37]

Related Research Articles

An exploit is a method or piece of code that takes advantage of vulnerabilities in software, applications, networks, operating systems, or hardware, typically for malicious purposes. The term "exploit" derives from the English verb "to exploit," meaning "to use something to one's own advantage." Exploits are designed to identify flaws, bypass security measures, gain unauthorized access to systems, take control of systems, install malware, or steal sensitive data. While an exploit is not necessarily malware in itself, it can serve as a vehicle for delivering malicious software by breaching security controls.

Cross-site scripting (XSS) is a type of security vulnerability that can be found in some web applications. XSS attacks enable attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy. During the second half of 2007, XSSed documented 11,253 site-specific cross-site scripting vulnerabilities, compared to 2,134 "traditional" vulnerabilities documented by Symantec. The impact of XSS ranges from petty nuisance to significant security risk, depending on the sensitivity of the data handled by the vulnerable site and the nature of any security mitigation implemented by the site's owner.

Vulnerabilities are flaws in a computer system that weaken the overall security of the system.

A penetration test, colloquially known as a pentest, is an authorized simulated cyberattack on a computer system, performed to evaluate the security of the system; this is not to be confused with a vulnerability assessment. The test is performed to identify weaknesses, including the potential for unauthorized parties to gain access to the system's features and data, as well as strengths, enabling a full risk assessment to be completed.

In the context of software engineering, software quality refers to two related but distinct notions:

Application security includes all tasks that introduce a secure software development life cycle to development teams. Its final goal is to improve security practices and, through that, to find, fix and preferably prevent security issues within applications. It encompasses the whole application life cycle, from requirements analysis through design, implementation and verification to maintenance.

Security testing is a process intended to detect flaws in the security mechanisms of an information system and as such help enable it to protect data and maintain functionality as intended. Due to the logical limitations of security testing, passing the security testing process is not an indication that no flaws exist or that the system adequately satisfies the security requirements.

Threat modeling is a process by which potential threats, such as structural vulnerabilities or the absence of appropriate safeguards, can be identified and enumerated, and countermeasures prioritized. The purpose of threat modeling is to provide defenders with a systematic analysis of what controls or defenses need to be included, given the nature of the system, the probable attacker's profile, the most likely attack vectors, and the assets most desired by an attacker. Threat modeling answers questions like "Where am I most vulnerable to attack?", "What are the most relevant threats?", and "What do I need to do to safeguard against these threats?".

ModSecurity, sometimes called Modsec, is an open-source web application firewall (WAF). Originally designed as a module for the Apache HTTP Server, it has evolved to provide an array of Hypertext Transfer Protocol request and response filtering capabilities along with other security features across a number of different platforms including Apache HTTP Server, Microsoft IIS and Nginx. It is free software released under the Apache License 2.0.

Open security is the use of open source philosophies and methodologies to approach computer security and other information security challenges. Traditional application security is based on the premise that any application or service relies on security through obscurity.

Security information and event management (SIEM) is a field within computer security that combines security information management (SIM) and security event management (SEM) to enable real-time analysis of security alerts generated by applications and network hardware. SIEM systems are central to security operations centers (SOCs), where they are employed to detect, investigate, and respond to security incidents. SIEM technology collects and aggregates data from various systems, allowing organizations to meet compliance requirements while safeguarding against threats.

DevOps is a methodology integrating and automating the work of software development (Dev) and information technology operations (Ops). It serves as a means for improving and shortening the systems development life cycle. DevOps is complementary to agile software development; several DevOps aspects came from the agile approach.

In computer security, a threat is a potential negative action or event enabled by a vulnerability that results in an unwanted impact to a computer system or application.

A web application firewall (WAF) is a specific form of application firewall that filters, monitors, and blocks HTTP traffic to and from a web service. By inspecting HTTP traffic, it can prevent attacks exploiting a web application's known vulnerabilities, such as SQL injection, cross-site scripting (XSS), file inclusion, and improper system configuration. Many major financial institutions use WAFs, with custom attack-signature strings, to mitigate web application 'zero-day' vulnerabilities and hard-to-patch bugs or weaknesses.

ZAP is a dynamic application security testing tool published under the Apache License. When used as a proxy server it allows the user to manipulate all of the traffic that passes through it, including HTTPS-encrypted traffic, which it intercepts by terminating TLS with certificates issued from its own root CA that the client under test must be configured to trust. It can also run in a daemon mode which is then controlled via a REST-based API.

RIPS is a static code analysis software, designed for automated detection of security vulnerabilities in PHP and Java applications. The initial tool was written by Johannes Dahse and released during the Month of PHP Security in May 2010 as open-source software. The open-source version is released under the GNU Lesser General Public License and was maintained until 2013.

"Serverless computing is a cloud service category in which the customer can use different cloud capabilities types without the customer having to provision, deploy and manage either hardware or software resources, other than providing customer application code or providing customer data. Serverless computing represents a form of virtualized computing." according to ISO/IEC 22123-2. Function as a service and serverless database are two forms of serverless computing.

A threat actor, bad actor or malicious actor is either a person or a group of people that take part in an action that is intended to cause harm to the cyber realm, including computers, devices, systems or networks. The term is typically used to describe individuals or groups that perform malicious acts against a person or an organization of any type or size. Threat actors engage in cyber-related offenses to exploit open vulnerabilities and disrupt operations. Threat actors have different educational backgrounds, skills, and resources. The frequency and classification of cyber attacks changes rapidly. The background of threat actors helps dictate who they target, how they attack, and what information they seek. There are a number of threat actors including: cyber criminals, nation-state actors, ideologues, thrill seekers/trolls, insiders, and competitors. These threat actors all have distinct motivations, techniques, targets, and uses of stolen data. See Advanced persistent threats for a list of identified threat actors.

Milton Smith is an American computer security application developer, researcher, and writer. Smith is best known for his role leading Java platform security at Oracle during a period of high-profile security incidents in the fall of 2012. Due to the climate around Java security, in 2013 Smith was invited to present by Black Hat leadership in a closed session under Non-Disclosure Agreement to top industry leaders. In the same year Smith established the first ever full security track at a software developers conference, JavaOne, Oracle's premier conference for Java software developers in San Francisco, California (USA).

Code Dx, Inc. was an American software technology company active from 2015 to 2021. The company's flagship product, Code Dx, is a vulnerability management system that combines and correlates the results generated by a wide variety of static and dynamic testing tools. In 2021, the company was acquired by Synopsys.

References

  1. "OWASP FOUNDATION INC". Nonprofit Explorer. ProPublica. May 9, 2013. Retrieved January 8, 2020.
  2. Corry, Bil [@bilcorry] (February 25, 2023). "A change you might notice about @owasp , the Board voted to change the "W" from "Web" to "Worldwide", making it the "Open Worldwide Application Security Project"" (Tweet). Retrieved July 7, 2024 via Twitter.
  3. "OWASP top 10 vulnerabilities". developerWorks. IBM. April 20, 2015. Retrieved November 28, 2015.
  4. "SC Magazine Awards 2014" (PDF). Media.scmagazine.com. Archived from the original (PDF) on September 22, 2014. Retrieved November 3, 2014.
  5. "OWASP Internet of Things". Retrieved December 26, 2023.
  6.
  7. "Board". OWASP. Archived from the original on September 16, 2017. Retrieved February 27, 2015.
  8. "OWASP Europe". OWASP. Archived from the original on April 17, 2016. Retrieved July 7, 2024.
  9. "Global Board". owasp.org. Archived from the original on April 29, 2024. Retrieved July 7, 2024.
  10. "OWASP Top Ten". owasp.org. Archived from the original on July 6, 2024. Retrieved July 7, 2024.
  11. Trevathan, Matt (October 1, 2015). "Seven Best Practices for Internet of Things". Database and Network Journal. Archived from the original on November 28, 2015.
  12. Crosman, Penny (July 24, 2015). "Leaky Bank Websites Let Clickjacking, Other Threats Seep In". American Banker. Archived from the original on November 28, 2015.
  13. Pauli, Darren (December 4, 2015). "Infosec bods rate app languages; find Java 'king', put PHP in bin". The Register. Retrieved December 4, 2015.
  14. "Payment Card Industry (PCI) Data Security Standard" (PDF). PCI Security Standards Council. November 2013. p. 55. Retrieved December 3, 2015.
  15. "Open Web Application Security Project Top 10 (OWASP Top 10)". Knowledge Database. Synopsys. Synopsys, Inc. 2017. Retrieved July 20, 2017. Many entities including the PCI Security Standards Council, National Institute of Standards and Technology (NIST), and the Federal Trade Commission (FTC) regularly reference the OWASP Top 10 as an integral guide for mitigating Web application vulnerabilities and meeting compliance initiatives.
  16. "Authorization remains #1 issue - OWASP 2023 Top 10 List". Cerbos. Retrieved September 2, 2024.
  17. "What is OWASP SAMM?". OWASP SAMM. Retrieved November 6, 2022.
  18. Pauli, Darren (September 18, 2014). "Comprehensive guide to obliterating web apps published". The Register. Retrieved November 28, 2015.
  19. Baar, Hans; Smulters, Andre; Hintzbergen, Juls; Hintzbergen, Kees (2015). Foundations of Information Security Based on ISO27001 and ISO27002 (3 ed.). Van Haren. p. 144. ISBN   9789401800129.
  20. "Category:OWASP XML Security Gateway Evaluation Criteria Project Latest". Owasp.org. Archived from the original on November 3, 2014. Retrieved November 3, 2014.
  21. "OWASP Incident Response Project - OWASP". Archived from the original on April 6, 2019. Retrieved December 12, 2015.
  22. "OWASP AppSec Pipeline". Open Web Application Security Project (OWASP). Archived from the original on January 18, 2020. Retrieved February 26, 2017.
  23. "AUTOMATED THREATS to Web applications" (PDF). OWASP. July 2015.
  24. "OWASP Automated Threats to Web Applications". owasp.org. Archived from the original on June 29, 2024. Retrieved July 7, 2024.
  25. "OWASP API Security Project - OWASP Foundation". OWASP.
  26. "qa.com | Certified OWASP Security Fundamentals (QAOWASPF)". www.qa.com. Retrieved October 25, 2024.
  27. "A01 Broken Access Control - OWASP Top 10:2021". owasp.org. Retrieved October 25, 2024.
  28. "A02 Cryptographic Failures - OWASP Top 10:2021". owasp.org. Retrieved October 25, 2024.
  29. "A03 Injection - OWASP Top 10:2021". owasp.org. Retrieved October 25, 2024.
  30. "A04 Insecure Design - OWASP Top 10:2021". owasp.org. Retrieved October 25, 2024.
  31. "A05 Security Misconfiguration - OWASP Top 10:2021". owasp.org. Retrieved October 25, 2024.
  32. "A06 Vulnerable and Outdated Components - OWASP Top 10:2021". owasp.org. Retrieved October 25, 2024.
  33. "A07 Identification and Authentication Failures - OWASP Top 10:2021". owasp.org. Retrieved October 25, 2024.
  34. "A08 Software and Data Integrity Failures - OWASP Top 10:2021". owasp.org. Retrieved October 25, 2024.
  35. "A10 Server Side Request Forgery (SSRF) - OWASP Top 10:2021". owasp.org. Retrieved October 25, 2024.
  36. "Server Side Request Forgery Prevention - OWASP Cheat Sheet Series". cheatsheetseries.owasp.org. Retrieved December 13, 2024.
  37. "Winners | SC Magazine Awards". Awards.scmagazine.com. Archived from the original on August 20, 2014. Retrieved July 17, 2014. Editor's Choice [...] Winner: OWASP Foundation